I am playing with Podman and I hit a weird issue with "overlay
userxattr" (i think)
kcinimod@brutus ~ $ podman run --privileged -ti --security-opt label=type:unprivcontainer.subj --security-opt label=user:wheel.id --security-opt label=role:wheel.role --security-opt label=level:s0 docker.io/library/debian:bullseye-slim
overlay on / type overlay (rw,relatime,context=sys.id:sys.role:containers.state.file:s0,lowerdir=/home/kcinimod/.local/share/containers/storage/overlay/l/FPIF7LXLIM5QBYHUHAUCYFLEI2:/home/kcinimod/.local/share/containers/storage/overlay/l/KLTLS5C6XS5QGTXVJF3WR7C7QT,upperdir=/home/kcinimod/.local/share/containers/storage/overlay/c57e0d37827226729251593f1ae87cdf40eaa1615e29f5c76459dae33f00b940/diff,workdir=/home/kcinimod/.local/share/containers/storage/overlay/c57e0d37827226729251593f1ae87cdf40eaa1615e29f5c76459dae33f00b940/work,userxattr)
Dec 11 16:54:18 brutus conmon[167588]: touch: cannot touch 'test': Permission denied
Dec 11 16:54:18 brutus audit[167608]: AVC avc: denied { create } for pid=167608 comm="touch" name="test" scontext=wheel.id:wheel.role:unprivcontainer.subj:s0 tcontext=wheel.id:sys.role:containers.state.file:s0 tclass=file permissive=0
Note how it tries to create "test" with sys.role (object_r) and how it
does not adhere to the hosts default_role rules:
root@brutus:~# seinfo --default | grep "role file"
default_role file source;
It works fine for "defaultuser", and I assume for "defaultrange" as
well.
Does anyone recognise this behavior in the SELinux kernel code?
--
gpg --locate-keys dominick.grift@xxxxxxxxxxx
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
Dominick Grift
